From a332ce9d0e87fab55f3d286690026fe075f624dd Mon Sep 17 00:00:00 2001
From: Simon Wilkinson
Date: Tue, 26 Feb 2013 22:40:04 +0000
Subject: [PATCH] kauth: Fix overflow when writing ticket file

krb_write_ticket_file uses a fixed length buffer to store the name of the ticket file, but copies into this from an environment variable. Remove the fixed length buffer, and use a mixture of the variable itself, and dynamically allocated strings. Caught by coverity (#985909)
Change-Id: I997fd1812c45e730db39497a27a5e168f102fee5
Reviewed-on: http://gerrit.openafs.org/9294
Tested-by: BuildBot
Reviewed-by: Derrick Brashear
Reviewed-by: Jeffrey Altman
---
 src/kauth/krb_tf.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/kauth/krb_tf.c b/src/kauth/krb_tf.c
index ce1b2ebd9..1ccb76752 100644
--- a/src/kauth/krb_tf.c
+++ b/src/kauth/krb_tf.c
@@ -60,7 +60,6 @@
 afs_int32
 krb_write_ticket_file(char *realm)
 {
- char ticket_file[AFSDIR_PATH_MAX];
 int fd;
 int count;
 afs_int32 code;
@@ -83,10 +82,15 @@ krb_write_ticket_file(char *realm)
 * back upon /tmp/tkt(uid}.
 */
 if ((tf_name = (char *)getenv("KRBTKFILE")))
- (void)sprintf(ticket_file, "%s", tf_name);
- else
- (void)sprintf(ticket_file, "%s/tkt%d", gettmpdir(), getuid());
- fd = open(ticket_file, O_WRONLY + O_CREAT + O_TRUNC, 0700);
+ fd = open(tf_name, O_WRONLY | O_CREAT | O_TRUNC, 0700);
+ else {
+ asprintf(&tf_name, "%s/tkt%d", gettmpdir(), getuid());
+ if (tf_name == NULL)
+ return ENOMEM;
+ fd = open(tf_name, O_WRONLY | O_CREAT | O_TRUNC, 0700);
+ free(tf_name);
+ }
+
 if (fd <= 0)
 return errno;
 
-- 
2.39.5
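Review bot: In the `else` branch of the second hunk the return value of `asprintf` is ignored and failure is detected with `tf_name == NULL`, but the pointer's value after a failed `asprintf` is not defined on every libc, so the check should test the result instead: `if (asprintf(&tf_name, "%s/tkt%d", gettmpdir(), getuid()) < 0) return ENOMEM;`. In the same branch `free(tf_name)` runs between `open` and the `return errno` that follows, and `free` may modify `errno` on older libcs, so the failure code can be lost; `int saved = errno; free(tf_name); errno = saved;` keeps it intact. Both new `open` calls still create the ticket file at a predictable path with only `O_CREAT | O_TRUNC`, which follows a symlink already present in a shared temporary directory, and mode `0700` sets an execute bit a credential file does not need; whether `O_NOFOLLOW` and `0600` are usable depends on the platforms this file builds for. The body of `krb_write_ticket_file` starts and ends outside the hunk, so how `fd` and `errno` are used afterwards is not visible here.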